Blog Archives

This week thanks to, Microsoft's IE 8, a followup story I did about it and a blog post yesterday I had on another clickjacking issue - this is a type of attack that is top of mind for me. With clickjacking, a user clicks on something that has a hidden element behind it that in turn triggers an unexpected action.

After my post yesterday, I was made aware of some research by James Padolsey clearly showing how a Twitter clickjack can be performed.

Basically what happens is when the user clicks a button an -unintended- message is tweeted. You need to be logged into the Twitter.com web interface for this 'attack' to work. If you're on Firefox, the clickjack is clearly identified by using the NoScript add-on ( click the screen shot below).

This isn't a flaw in Twitter persay, it's more of a browser issue. That said if you're logged into the web interface of Twitter in one tab and doing other things in another tab well..you could cause a little trouble (but just a little). Might also be a good cause for pause for Twitter user to think about using a Twitter client (I'm currently using Twhirl) which would also mitigate the risk since a web click wouldn't translate over to the client.

There are legitimate reasons why someone would want to click from one page to post to Twitter though (without having to hide it as a clickjack that is). For example if I want you (yes you dear reader) to retweet this page:

Security researcher Aditya Sood posted a new clickjacking advisory early this morning affecting the Firefox 3.0.5 and Google Chrome web browsers. Sood did us all a favor though and posted a very clear Proof of Concept page (PoC)that clearly shows what's going on.

Just to backtrack (no pun intended) for a sec - clickjacking is a new attack vector where a button/element is hidden underneath a legitimate element. The end result being that a users click has an unintended result. Microsoft claimed earlier this week to have clickjacking protection in IE 8, a claim that some have issue with as per a story of mine up now.

So back to the PoC here we go there is a simple href linking out to Yahoo! :

In the PoC itself, Sood clearly shows in the text description that xssed.com is the target but if you do check the status bar of your browser it will just show yahoo.com - which is all the href has after all.

So what's happening is a simple onclick event that Sood has called -clickjack_armor(event) - which calls the hidden frame (mydiv) element which sources xssed.com.

It's really quite simple.

If you're running Firefox without NoScript (and hey you really should run NoScript) this is a problem at least on the Firefox 3.0.5 version that I tested. On Google Chrome 1.0.154.46 (which is the latest stable release), I also tested the PoC and it also worked.

It does not however affect Microsoft IE - and I'm talking about IE 7 here so Microsoft's new anti-clickjacking for IE 8 approach is not in play. This is a Javascript validation issue.

This is an issue that is trivial to exploit, though it does require user action (that is user must click). It also means that the user is on a site that has been compromised (or is malicious in some ways) since why else would anyone hide a frame in that way?

Also this attack vector as demonstrated by the PoC is not 'stealing' user credentials (yet) but could easily be part of a more sophisticated blended phishing attack.

Today is Data Privacy Day which is an event that is supposed to help raise awareness and promote discussion.

So here's my discussion.

The first step to data privacy is to take it seriously yourself. While it's critical that big web sites like Google and others do the right thing when it comes to data privacy, it's also important that users protect themselves.

The two most basic things that I see all the time that puts users at risk include:

1) Logging into websites that don't have SSL/HTTPS2) Not cycling passwords regularly

If you log into a website or service that doesn't encrypt your credentials then anyone on the wire can sniff out that password. It's not that hard to too.

Keeping the same password for a long period of time or making it easily guessable are also bad moves - just ask Alaska Governor Sarah Palin.

So in honor of this Privacy Day I leave you with one simple suggestion: change your passwords today.

Juniper Networks has named Lauren Flaherty as its new executive vice-president and Chief Marketing Officer. According to Juniper's release on the appointment, Flaherty most recently served as CMO of Nortel Networks from 2006-2008.

Yes that Nortel. The same one that just recently filed for bankruptcy protection.

Nortel aside, Flaherty spent the previous 26 years at IBM.

"While at Nortel,
Flaherty created a fully integrated marketing function that represented
all lines of business, and created Nortel's first Global Marketing
Board, which enabled the development of marketing investments that were
fully aligned to sales and the company's strategic objectives," Juniper's announcement releasestates. "Flaherty
also led many of Nortel's strategic business initiatives, including the
company's first global Enterprise campaign, leadership of the company's
green marketing initiatives and its bids for sponsorship of the
Vancouver 2010 and London 2012 Olympic Games."

Nortel sure has let a lot of good people go.

For Juniper this is a solid move though not sure what it means for their current CMO Penny Wilson. Wilson is still listed (as of 9:45 AM ET) as being the CMO. I never had the opportunity to work with or speak to Wilson, though I met her predeccesor Jeff Lindholm once.

It will be interesting to see if Flaherty goes after her former company (Nortel) now that it's in trouble.

There aren't too many Easter Eggs in Google Chrome, but one of the most well known ones is being removed in the new Chrome 2.0.159.0 dev-channel release. The about:internets (try it out on a pre-2.0.159.0 Chrome release) which has a cool snafu animation of the 'tubes' that make up the internets.

The reason why Google Chrome devs are removing the egg though is very telling of the direction that Chrome is headed.

[r8283] Remove the about:internets page. It interferes with porting to Mac and Linux. No moar tubez. kthxbai.

So, Google is further tightening up Chrome to get it ready for Mac and Linux! Too bad the tubes had to go, but hey maybe we should be looking for something else....

Mozilla is throwing down the gauntlet in the battle for open video on the web with a $100,000 grant to the Wikimedia Foundation in support of the development of Ogg Theora. As opposed to Windows Media, QuickTime and other popular video formats, Ogg is based entirely on open standards and isn't supposed to include any proprietary codecs. This means that video can more easily be distributed and more importantly perhaps more easily be integrated directly into the browsing experience.

"Our commitment to the success of open video on the web requires that we select codecs for Firefox that are usable by everyone, without restriction or licensing fee. To that end, we've chosen Theora as the format for Firefox 3.1," Mozilla's Mike Shaver blogged. "We believe that Theora is the best path available today for truly open, truly free video on the internet."

Firefox 3.1 includes support for the HTML 5 <video> tag which allows for video embedding. It's a big deal from a development point of view that could end up pushing video even further into our regular browsing experience.

As a Linux user, Ogg is something that I use and am familiar with. On the Windows side though, Flash, Windows Media clearly dominate but perhaps with this new Mozilla funded push things will start to change.

Linux creator Linus Torvalds has helped to re-ignite interest in the on again/off again public flame war between GNOME and KDE Linux desktop users. Torvalds gave an interview in Australia last week where he noted that he had chosen to go back to GNOME after a negative experience using the KDE 4.x desktop.

Frankly I'm not surprised since I did the same thing. I had been a loyal KDE user for nearly 10 years and then switched in mid 2008 back to GNOME as my everyday desktop.

KDE developer Aaron Seigo is now offering his views on Linus' choice as well as some promises for the future. Though Seigo isn't happy with Torvalds comments, he correctly notes that Torvalds is only one user.

"I don't like losing any user, though, and such a happening can be deflating and make one second guess what they are doing (which isn't an entirely bad thing either, as long as it doesn't result in bad decision making or paralysis)," Seigo blogged.

Seigo added that KDE 4 was about the future, a future that will be more fully realized with the upcoming KDE 4.2 release.

"KDE 4.2 is a phenomenal release and unlike KDE 3.5, which was also a phenomenal release, this new release is a platform that we can successfully build on and compete in the market with for the next decade," Seigo stated.

OpenSUSE 11.1 which is already out, includes some KDE 4.2 backports and in my limited usage of the distro found it to be a very good desktop experience.

I don't know that the KDE 4.2 will be enough to sway long time GNOME users to KDE. However, I strongly suspect that it will make those that have switched from KDE to GNOME to second guess themselves and give KDE another chance - I know I certainly will.

Google is out with its fourth update for the Chrome browser this year updating the dev-channel version to 2.0.158.0. The new Chrome browser might end up being a help in the fight against bad MD5 certificate usage.

The new version is mostly a bug fix for WebKit issues that were introduced by Google updating to a new version of WebKit for recent releases.

"...those changes may improve layout on some sites, but are mostly minor tweaks you won't notice," Mark Larson, Google Chrome Program Manager blogged. "That's a roundabout way of saying, we probably didn't fix the issue that's been bugging you the most this week."

A closer look at the release notes for the 2.0.158.0 release reveals that there is one other key issue addressed by the update:

MD5.

I first reported on problems with the MD5 encryption back in 2004. Fast forward four years and apparently people were still using MD5 to sign their SSL certificates- and that's not a good thing.

So Google has added a little feature that will track how often Chrome users are encountering MD5 certificates. This is a good thing and hopefully will end up being part of the broader solution for getting rid of MD5 for SSL.

The Apache HTTP open source web server (I usually just call it Apache, but Apache is more than just web servers these days..) gained over a million new sites for the month of January 09, according to the latest stats from Netcraft.

The Netcraft study does not measure the number of actual Apache installations (that is physical machines) but rather measures the number of sites (essentially domain names across all TLDs) that are being hosted on a particular servers. For January of 2009, Netcraft reported that Apache gained 1.27 million sites while

Microsoft's IIS lost just over 2 million sites.

All told Apache now accounts for nearly 97 million sites or just over 52 percent of all sites measured by Netcraft. Microsoft's IIS still holds down second with just over 61 million sites or 33 percent of the Netcraft survey.

While it's interesting to note that Apache still is the majority - Microsoft's share is certainly still large and impressive. Added to that is the fact that in recent years a new challenger has emerged in the form of Google with its GFE (Google Front End) web server. In the January 2009 Netcraft survey GFE represented over ten million sites.

Lighthttpd which is a neat project that I track is just starting to show up to with nearly 3 millions sites.

Open Source thrives on participation. Not everyone has the skills/time/interest in directly participating with code validation and contributions but there are other ways to participate.

Mozilla is ramping up on a new way to engage and learn from its user community. The new effort is called Mozilla Test Pilot and that basic idea is that it will solicit structured feedback for Mozilla about its products.

It's a neat idea - but it's also an idea that needs leadership, which is something that Mozilla is also seeking for Test Pilot.

No doubt Mozilla already gets a fair share of feedback through bugzilla and other mechanisms, but the key for Test Pilot will be the 'structured' feedback on specific areas that the leadership of Test Pilot deems necessary.

The really tricky part in my view will be to get that representative number of Mozilla users to actually participate. I've always had the opinion that the vast majority of Firefox users are a silent majority. They vote by usage not with their words, how to translate that into actionable activities is no easy task.

InternetNews.com has learned that Lucid Imagination, a new venture to provide commercial support and services for the open source Apache Lucene text search engine is ramping up with an official launch on January 26, 2009.

Apache Lucene is a critical Apache project used by many to integrate search features into their applications.

Key Lucene contributors Grant Ingersoll, Erik Hatcher, and Yonik Seeley are also part of Lucid Imagination and are likely to provide the link between the commercial side of the company and the Lucene community. Lucid Imagination is also expected to build a commercial version of Lucene that will be back wit support and services.

This is a great thing for Lucene and can only help to further its development and increase adoption. My only concern is that Lucid Imagination not fork Lucene with a significant amount of proprietary development that doesn't end back in the mainstream Lucene release.

As a Linux user, I'm always seeing some kind of FUD out there that Linux users are being short changed out of ..something. In today's case the FUD was surrounding the Inauguration of Obama, an event that was streamed live via multiple sources including the Presidential Inauguration Committee (PIC). The problem with the PIC feed is that it was broadcast using Silverlight 2.0 which isn't yet available on Linux.

So the Moonlight (Silverlight on Linux) people led by Novell's Miguel de Icaza literally burnt the midnight oil last night to get something together that would work on Linux.

Sounds good right? It is but..

Let me tell you how I watched the streaming video. On an Ubuntu Ibex (just what I booted today I've got a multiple boot system and use multiple Linux distros..), I simply went to CNN and clicked on their Live video stream.

Guess what? It worked.

No I didn't load in Moonlight/Silverlight. CNN was just using their everyday Flash based streaming tech (and hey who doesn't have Flash today) and it worked well without issue for me at all.

So while Silverlight/Moonlight is all fine and nice and the late night efforts by Novell to get things to work are interesting - sometimes all you need is rock solid cross platform technology like Flash to get the job done.

I would hope that moving forward Obama and his communications team choose technologies that are cross platform and more importantly - already exist without the need for late night crunches.

Netscape - now dead and departed in most respects - is a company that played a key role in the open source revolution by opening up Mozilla in 1998. Not all of Netscape was open sourced in 1998. The Directory Server wasn't open until fairly recently when it was acquired and open sourced by Red Hat in 2005. But what about Netscape's webserver - their so-called Netscape Enterprise Server?

Turns out it morphed into iPlanet Web Server during the Sun/Netscape alliance era, then it was called SunONE Web Server and now its called the JES Web Server.

Now today here in 2009 that webserver is finally being open sourced (under the BSD license).

Apparently the open sourcing came as the result of Sun engineer Brian Aker who currently leads Sun's Drizzle open source database effort.

"At some point last year I met up with a group in Menlo Park who had been working on a webserver at Sun. Low and behold it was the evolutionary grandchild of what was the Netscape Enterprise Server," Aker blogged. "After talking to the engineers I wrote a few internal letters to see if we could push the code out as BSD so that others could learn/use/maybe even migrate if they wanted to. I am happy to say that Sun has decided to make the release happen."

This is a good thing since I remember well being a fan of the iPlanet Web Server years ago. Sure we've got Apache and LightHTTPD (which is awesome), but there might well be some nuggets of wisdom that can be gleaned here.

This is also the RIGHT THING to do and we should all be thankful that Brian Aker noticed this server and asked for it to be openned up.

Google is updating its Chrome browser to version 2.0.157.2 (that's the dev-channel release) to fix a pair of crash conditions. One of them was triggered by the Safe Browsing phishing filter -the other by a cursor...

The cursor issue is particularly interesting to me. The actual bug report has a tonne of detail on this, but in a nutshell a custom cursor that gets created by WebKit (Chrome's rendering engine) is to blame for the crash that is now fixed. Goes to show you that even the smallest things - like a cursor - can be at the root of browser errors.

The 2.0.157.2 release comes about a week after the 2.0.157.1 release, the first in the 2.x series for the dev-channel version of Chrome.

InternetNews.com has learned that a new survey set for official release on January 20th will report that 40 percent of open source project developers are planning on cloud deployments for their projects.

The data comes from a survey of 360 developers conducted in November 2008 by Evans Data. The biggest winner in terms of what cloud service developers plan to use is Google's App Engine at 28 percent of respondents. Amazon came in second at 15 percent.

Not surprisingly developers 52 percent of developer claimed to be using a virutalized Linux environment and over half are using the MySQL database.

It all seem fairly obvious to me.

Apps Engine is free so it makes for an easy choice to get started with the cloud, though Google does not use MySQL for its database back end - instead App Engine uses Big Tables (which frankly I still don't quite understand how to use as well as MySQL). The cloud after all is really what? A fancy new term for distributed hosting? It makes sense to want to offer apps as a service and it makes sense to want to do it cheaply on massively scalable platforms like Google and Amazon.

Google's Jaiku microblogging service is about to get a big changeover. It's being moved to Google Apps, going open source and oh yeah, Google isn't going to develop it anymore.

Google acquired Jaiku in 2007, but Jaiku never really was a challenger to the micro-blogging king - Twitter.

"While Google will no longer actively develop the Jaiku codebase, the service itself will live on thanks to a dedicated and passionate volunteer team of Googlers.
Vic Gundotra, Vice President, Engineering at Google blogged. "With the open source Jaiku Engine project, organizations, groups and individuals will be able to roll-their-own microblogging services and deploy them on Google App Engine."

Now that's interesting.

Google wasn't able to make a go of Jaiku on their own - but as an open source effort that can be used as a roll your own Twitter, that could be very cool.

I can think of plenty of reasons why an organization would want their own specific microblogging service, customized and privatized to their needs. While Jaiku did not beat out Twitter for the hearts and minds of the general public, I suspect that an open source Jaiku could make some real inroads in the custom development space where Twitter does not exist.

Nokia is going to change the licensing for Qt (the open source graphics toolkit) from GPL to LGPL starting in March of this year with the Qt 4.5 release.

This is a BIG deal. The GPL license is more restrictive than the LGPL (lesser GPL) in how it is enabled to integrate with other non Free software. With the LGPL, Qt might be able to be more easily integrated (from a legal point of view) with a wider range of software. Qt has been available under a commercial license as well, but that presents its own set of issues and limits Qt to commercial software.

"By moving to LGPL, opening Qt's source code repositories and encouraging more contributions, Qt users will have more of a stake in the development of Qt, which will in turn encourage wider adoption," Kai Oistama Executive Vice President, Devices, Nokia said in a statement.

The move to LGPL could also potentially pave the way for Qt to become a more disruptive force in cross-platform development (Mac, Windows, Linux, Mobile), though I have not seen any specific examples of how the GPL may have limited Qt's usability on the desktop. The mobile space with its myriad proprietary drivers is a different beast and the move to LGPL is one that could have significant benefits for Nokia, very rapidly.

Though Sun recently shed thousands of jobs, it's actually now hiring - well for at least one key position. Sun is looking for a Software Senior Staff Engineer to work on the MySQL open source Drizzle project.

Drizzle is an effort launched last July to create a more slimmed down version of MySQL. At first it looked like just a pet project of developer Brian Acker, but now with a new staffing position opening up for it, I suspect that Drizzle is getting a lot more serious.

There are also some keys in the job posting about where Drizzle is headed. The job posting notes that the job entails working on a next generation database to deliver as a service for cloud computing.

If you've got six plus years of experience with C, C++, PHP and Perl, a strong background in web services and database technologies,application development, testing and benchmarking , Solaris and Linux experience - well this might be a great opportunity for you. The full job posting is linked here.

Fedora Project Leader Paul Frields has named the winner of the Fedora 11 naming sweepstakes...and the winner is: LEONIDAS. Leonidas (and his band of over 300) beat out Blarney, Brasilia
Claypool,
Duchess,
Euryalus,
Indomitable, and
Zampone as the name for Fedora 11. The Fedora Project started the voting on the name for Fedora 11 in early January (ohh and for the record I picked Leonidas as my fav back on Jan 5th).

Though many of us think of Leonidas as the Spartan hero (a legend that was recently on the big screen in the movie 300), Red Hat Fedora's wiki describing the names does not list that connection. Instead the wiki states:

Leonidas was a ship in the Union navy

OK then. Whatever the context, Leonidas is the name. No doubt there will be plenty of room to make comparisons to the Spartan hero and try and put Fedora in the same shoes.

Will Fedora Leonidas hold of the hordes of Xerxes (Windows7) at the gate?Will Fedora Leonidas benefit or hurt from the efforts of its fellow Greeks (Ubuntu Jaunty)?

Only time will tell whether or not this distro will be "heroic" or not. Fedora Leonidas is currently scheduled for a May 26, 2009 release.

Google Chrome which 'just' hit version 1.x last month has now jumped ahead and is now at version 2.0.156.1. Google is also now splitting up its releases into three public versions (from two) so there will now be a stable, dev and a beta version (confused yet?)

The new 2.0.156.1 release is a dev-channel release but Google is warning that it isn't particularly stable.

"If you're ready to try some new stuff, we've just released a Dev
channel update that has a new version of WebKit, a new network stack,
and some features like form autocomplete." Mark Larson, Google Chrome Program Manager wrote in a blog post."It's less polished than what Dev channel users have been getting during
Google Chrome's Beta, so we've moved all of our existing Dev channel
users to the Beta channel."

Three versions? Really? Firefox users have stable which is now the Firefox 3.0.5 release, a Beta with the 3.1 Beta 2 and then I suppose the Mozilla version of dev are the nightlies, so Google's approach isn't all that strange.

As for what's new in the bleeding edge 2.0.156.1 release, the big jump and the reason for the numbering change is a new version of WebKit - specifically WebKit version 528.8 revision 39410. The new version of WebKit has support for full page zoom, autoscroll, CSS gradients and CSS canvas drawing.

Even more impressive perhaps is that Google Chrome 2.x has support for Google's own version of HTTP. Google had been using the WinHTTP library but have now come up with their own implementation that will eventually be able to work on Chrome versions for Mac and Linux as well. No official word yet however on when a Google Chrome for Mac or Linux is actually coming.

Google has also added support for a very high degree of customization - not quite add-ons yet - but something a little more interesting in some ways. Chrome 2.0.156.1 has user script support so a users could run their own code inside of the browser (similar to the super-popular Firefox Greasemonkey add-on).

There is also support for multiple browser profiles, so you could have different bookmarks etc loaded for a particular session.

On the security side there is a HTTPS-only browsing mode. This is something that I personally think is awesome and should be a 'must-have' for all browser vendors moving forward. According to Google's release notes:

"Add --force-https to your Google Chrome
shortcut, and it will only load HTTPS sites. Sites with SSL certificate
errors will not load."

All told it is A LOT of stuff.

So yes, it's a huge jump to go from a 1.x release to 2.x in a short period of time, but considering all the innovation in this new version it is definitely a valid jump.

If Google keeps up this pace who out there thinks we'll see Chrome version 8 before we actually see IE 8 come out of Beta?

I remember well the day in 2006 when I saw Nicholas Negroponte (image: left) take the stage at LinuxWorld Boston (the last time the show was ever held in that town) talking about One Laptop Per Child (OLPC) aka the $100 laptop. There was tremendous optimism then, both for the hardware and its open source Linux operating system.

Today much of that optimism has died.

Negroponte's OLPC is cutting half its staff (so he's left with 32 staff members), reducing salaries for existing staffing and giving up on its Sugar Linux operating system.

This doesn't mean that OLPC has necessarily failed in its mission.

"The fact that there are 500,000 children around the world who have laptops is testament to their extraordinary work and is already a key part of OLPC's legacy," Negroponte wrote in a statement. "Separately, OLPC will be dedicated to bringing the cost of the laptop down to Zero for the Least Developed Countries - the $0 Laptop."

Since Sugar is open source, I strongly suspect that development will continue in the community. So the OS itself won't die out if users don't want it too.

In my view the OLPC dream was a goal that might have survived were it not for the global economic meltdown. As it is, the dream of cheap computing has changed thanks to the innovation of netbooks which is something that didn't exist back in 2006. OLPC might well re-emerge as a force for change in time, but for now, it's a dark time for those that worked hard on the project that now are left without jobs.

In my opinion, one of the greatest innovations of the Firefox 2 release was the inclusion of Tab Overflow. For the first time I could actually handle as many open browser tabs as I wanted. While Mozilla introduced Tab overflow in 2006, here we are in 2009 and Google Chrome doesn't have that feature. For someone like me that often keeps 10+ tabs open at any one time this is a (minor) problem.

With the latest stable Chrome build 1.0.154.36 running at a screen resolution of 1024x768, I actually lose any tab identification (favicons included) at the 29th open tab. (check out the screenshot to see what i mean).

In practical terms this means that Chrome is only really usable for less than 29 tabs. Both Firefox and IE have Tab Overflow so users can get more than 29 tabs. It's a situation that Google is aware of and is apparently working on.

In fact Google has Ben Goodger formerly of Mozilla Firefox fame, working on the issue.

"We don't have a complete system for handling many open tabs right now. We let tabs grow infinitely smaller," Goodger wrote in a blog posting."This ends up looking bad when there are a very large number of tabs open. We chose not to go with an overflow menu or scrolling tab strip like in some other browsers because we think there are other usability problems with those approaches."

What Firefox does (and what I personally really like) is a Tab strip where you can scroll left or right to see overflow tabs. There is also a Tab pulldown to vertically scroll through all your open tabs. I personally don't understand Goodger's objection to replicating the Firefox approach for Chrome. Here's what he said about it:

"We also don't really like the drop-down menu approach as it has a
spatial disconnect (vertical scanning vs. horizontal tabs) that makes
it clumsy to use quickly," Goodger commented. "In the end, we would like a system that
doesn't over-zealously clip tabs out of the tab strip so that people
with many tabs can still access their tabs with one click."

I will be keenly looking on the dev tree to see how Google ultimately decides to implement Tab Overflow. If in fact they succeed in doing something better than Firefox's approach that would be a tremendous thing for users like me that just can't get enough of Tabs.

Debian developers have voted in favor of a General Resolution that will allow the Debian Lenny release to go forward. The hangup as I wrote about a few weeks back was over the inclusion of potentially non-Free software. Debian has some strict language and policies as part of its Social Contract which guide the project and inclusion of software components.

"Since the election concluded, several developers have asked for some statement from the DPL and/or Secretary as to what this result really means," Bdale Garbee wrote in an email to Debian developers. "This result means that the Debian Lenny release can proceed as the release team has intended, with the kernel packages currently in the archive."

While the intricacies of Debian politics have always been 'interesting' to say the least - this latest round has got the eye of Linux Foundation CTO Ted Ts'o. Personally I had always thought that the Linux Foundation was supposed to be an advocating voice for Linux, but Ts'o in a personal blog post laced with literary and biblical references criticizes Debian. Here's one small excerpt :

"I personally believe that '100 percent free software' is a wonderful aspirational goal, but in particular with regards to standards documents and firmware, there are other considerations that should be taken into account," Ts'o wrote. "People of good will may disagree about what those exceptions should be, but I think one thing that we should consider as even higher priority and with a greater claim on how we behave is the needs of our users and fellow developers as people. For those who claim Christianity as their religious tradition, Jesus once stated..."

The wonderful thing about Linux is that there is a distribution out there for everyone.

Debian fits a need for many thousands of people and has for over a decade with its Social Contract met those needs. Other distros like Red Hat, SUSE and Ubuntu meet the needs of others that perhaps aren't as interested in philosophy or the ideals of 100 percent Free Software.

To each their own. If there is something you don't like about a particular distro choose another - or if you're so inclined start your own. That is the true strength of software freedom, the fact that users have choice.

Just yesterday I blogged about the Mozilla Ubiquity 0.1.3 release - today Mozilla is out with 0.1.4 which is labeled as a hotfix release. Ubiquity is a Mozilla Labs project that provides a Firefox add-on with semantic web-type capabilities.

The Ubiquity 0.1.3 release added new skinning capabilities by way of CSS allowing for more customization of the Ubiquity window. It looks like there are already a few complaints on the main Ubiquity discussion forum about the 0.1.4 release too, so don't be too surprised if we see a 0.1.5 release soon.

While many people were out last week (myself included), Mozilla Labs developers were not. In fact they managed to push out Mozilla Ubiquity 0.1.3 on Dec 30th which provides a slick user interface overhaul for the semantic web tool.

Basically Ubiquity now can be easily skinned by anyone with a little bit of CSS skills. Developers are also claiming that Ubiquity is now faster and that it is more intuitive as well by recalling used commands, much the same way that Firefox's nav bar (the awesome bar) remembers visited sites.

Ubiquity 0.1.2 came out at the end of October, while the first public release came out in August - so it looks like they're keeping to a 6-8 week release cycle.

Red Hat's Fedora Linux is currently in the process of developing Fedora Linux 11, but first the new distro will need a name. So in the spirit of openness Fedora has opened up the naming of Fedora 11 to a vote. The names under consideration are:

Personally I'm a fan of Leonidas (This is SPARTA!!) though Indomitable would be cool too.

The Fedora 10 release was named Cambridge and Fedora 9 was called Sulpher. Fedora actually has wiki page up now explaining the various name choices as well as the naming process itself. Basically there has to be a link between Cambridge and the new name in some way.

Voting on the new name is underway until January 9th and the winner will be announced on January 10th.